12162017-02-07 18:55:00 +0100Disable DNSSEC, DO Flag2017-02-08 08:26:12 +0100111Unclassifiedunboundserver1.6.0x86_64LinuxASSIGNEDP5enhancement---1andrewunbound-teamandrewcathyawouteroldest_to_newest36110andrew2017-02-07 18:55:16 +0100I have a case, where I don't want to use DNSSEC (crazy fool you say!).
libunbound with no trust anchor and only the iterator module enabled, still makes queries with the DO flag enabled. This is an issue for my niche use case (+ bug #715).
Beyond the obvious fact this doesn't really cause an issue for the majority of people, it feels really odd to be asking for data, that is going to be ignored when it's known not to be required as there is no validator module.36121wouter2017-02-08 08:26:12 +0100Hi Andrew,
The DNSSEC support cannot be turned off in Unbound. It always fetches signatures and DNSSEC data, in case a downstream (client or validator) needs them.
If you want to make 'weird queries' from your application, perhaps you are looking to use libldns (also from us, www.nlnetlabs.nl) that allows you to build arbitrary query packets and send them.
What is the issue with the DO flag? If no DNSSEC is used by the domain, then no DNSSEC information is returned? It should not be a problem to set this flag (it means 'the receiving server understands DNSSEC records you do not have to omit them').
Best regards, Wouter